Security Services
Amazon GuardDuty is an incident detection service in AWS that monitors the most important logs in AWS.
You can add your own IOC IP addresses (a threat IP list) to alert on.
A threat actor (TA) can add their own IP address to the trusted IP list so that activity from it is ignored in alerts (defense evasion).
Data sources GuardDuty monitors:
AWS CloudTrail logs
Amazon Virtual Private Cloud (Amazon VPC) flow logs
Amazon Route 53 DNS logs
(Optional) EKS audit logging
(Optional) Lambda protection
(Optional) Malware protection in storage
(Optional) RDS protection
(Optional) Runtime protection for ECS and EC2
(Optional) S3 protection using S3 logging
GuardDuty is regional: it needs to be enabled in each region and in every account you use
Use Security Hub to centralize findings
Collection of logs is out-of-band and does not interfere with existing configuration
Does not process historical logs; detection only starts from the moment it is enabled, which limits it in the incident response (IR) use case
GuardDuty is a very good indicator for incidents in AWS
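Two of the points above (GuardDuty must be enabled per region, and a trusted IP list is a blind spot an attacker can abuse) can be checked with a small audit. This is an added example, not part of the original notes; it assumes boto3 with read-only GuardDuty and EC2 permissions, and `FakeGuardDuty` is a constructed stand-in client so the audit logic can be exercised offline.

```python
# Added example (not from the original notes): audit GuardDuty coverage in
# every region and surface trusted IP lists, which a threat actor could use
# to suppress alerts. Assumes boto3 and read-only GuardDuty/EC2 access.

def audit_guardduty_region(gd):
    """Return audit findings for one region.

    `gd` is any object exposing the boto3 GuardDuty client methods used
    below, so a stub can be passed in for offline testing.
    """
    findings = []
    detector_ids = gd.list_detectors().get("DetectorIds", [])
    if not detector_ids:
        return ["GuardDuty not enabled"]          # coverage gap: no detector
    for det in detector_ids:
        status = gd.get_detector(DetectorId=det)["Status"]
        if status != "ENABLED":
            findings.append(f"detector {det} is {status}")
        # Every trusted IP list entry is a blind spot: report each for review.
        for ipset_id in gd.list_ip_sets(DetectorId=det).get("IpSetIds", []):
            ipset = gd.get_ip_set(DetectorId=det, IpSetId=ipset_id)
            findings.append(
                f"trusted IP list '{ipset['Name']}' at {ipset['Location']} "
                f"({ipset['Status']})"
            )
    return findings


def audit_all_regions():
    """Run the audit in every enabled region of the current account."""
    import boto3  # imported here so the pure audit logic runs without boto3
    ec2 = boto3.client("ec2", region_name="us-east-1")
    regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    return {r: audit_guardduty_region(boto3.client("guardduty", region_name=r))
            for r in regions}


class FakeGuardDuty:
    """Constructed stand-in for a boto3 GuardDuty client (offline demo data)."""
    def __init__(self, detectors, ipsets):
        self.detectors, self.ipsets = detectors, ipsets  # {id: status}, {id: dict}
    def list_detectors(self):
        return {"DetectorIds": list(self.detectors)}
    def get_detector(self, DetectorId):
        return {"Status": self.detectors[DetectorId]}
    def list_ip_sets(self, DetectorId):
        return {"IpSetIds": list(self.ipsets)}
    def get_ip_set(self, DetectorId, IpSetId):
        return self.ipsets[IpSetId]
```

Against a real account, `audit_all_regions()` returns a dict of region name to findings; an empty list means the region has an enabled detector and no trusted IP lists.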
Amazon Inspector is a vulnerability management service that continuously scans your AWS workloads for software vulnerabilities and unintended network exposure.
Inspector scans:
EC2 instances (works on Windows and Linux)
Container images in the container registry
AWS Lambda functions
Uses Amazon Systems Manager (SSM) to perform scanning on instances
Scans for vulnerabilities in the operating system as well as the software packages used
Lambda scanning can also scan the function code itself for potential vulnerabilities
Amazon Detective ingests the following data sources:
AWS CloudTrail logs
Amazon Virtual Private Cloud (Amazon VPC) flow logs
For accounts that are enrolled in GuardDuty, Detective also ingests GuardDuty findings
(Optional) Amazon EKS Audit Logs
(Optional) AWS Security findings from Security Hub